PHP Open Source Software
Saturday, December 23rd, 2006Let me start out by saying how wonderful it is to find and use all of this opensource software written in PHP. To all of the developers who have worked on this in your spare time, I say a very sincere “Thank you.”
Now, to the one point about open source PHP software that drives me crazy, and I am not sure why it is this way or how to fix it. I have downloaded and worked with three different PHP open source software packages so far. All three of these packages send password data using unsecured HTTP connections. I am sure that PHP can use secured HTTPS connection from what I read on the web. But for reasons that I don’t get, these secured connections are not used.
Coming from a Java background, this security hole blows my mind. I can easily see how I might want to check my software as I am traveling. When I travel, I tend to use wireless connections in public libraries or coffee shops. I was burned once when I checked my email while traveling this way. Someone in a coffee shop was packet sniffing and got my password when I logged in. My only defense in this situation was that my previous ISP has not set the email login using SSL, and I had never noticed before. I had just made the assumption that an IPS would set secured pages, like login pages, to use HTTPS by default. After that, I switch ISPs to one that has a better grasp on security.
But what to do about these PHP open source packages? I was comparing how to set up socket connections in PHP and in Java. Java takes care of most of the underlying connection code making it easy and very seamless to the programmer. PHP seems to be not as advanced in this area. With PHP the programmer has to know much of the details of his system.
I will keep working on securing my site. But I am still at a loss to understand why this is not done automatically with these open source programs.
